
Prevent Cisco ISE Provisioning from Downgrading ISE Compliance Module

edwardonelife
Level 1

Hi,

We have the following setup

- AnyConnect NAM (4.9.6037) with ISE Posture (4.9.6037) & Compliance Modules (4.3.2099)


We would like to upgrade to ISE Compliance Module 4.3.4065.8192 on a few TEST machines without having to change the AnyConnect profile file for all machines and without having to create new policies to target the machines. When we do a standalone upgrade on some desktops, they get downloaded once they connect to the network and get provisioned by ISE.

Is there a setting that can tell ISE to ignore endpoints running a newer version of the compliance module? Would the below settings help in any way?


Deferred Update

- Allowed for AnyConnect Software: If set to 'Yes', the end user can defer the update as long as they already meet the minimum version in the setting below, for all required AnyConnect modules.
- Minimum Version Required for AnyConnect Software: Format is 'n.n.n'. '0.0.0' means no minimum version is required. '3' means minimum version is 3.0.0, '3.2' means minimum is 3.2.0.
- Allowed for Compliance Module: If set to 'Yes', the end user can defer the update as long as they already meet the minimum version in the setting below.
- Minimum Version Required for Compliance Module: Format is 'n.n.n.n'. '0.0.0.0' means no minimum version is required. '3' means minimum version is 3.0.0.0, '3.6' means minimum is 3.6.0.0, and so on.
- Prompt Auto Dismiss Timeout: The number of seconds that the deferred update prompt is displayed before being dismissed automatically. 'None' means the prompt can only be dismissed by the user. A '0' value and a 'defer' value for the response setting below will force a deferral of the software update.
- Prompt Auto Dismiss Default Response: The action taken when the prompt is automatically dismissed.

NB: Next step will be to upgrade to CSC/AC 5.x once the compliance module is stable.
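
A model of the Deferred Update help text quoted in the post above, as an added example (not part of the original post and not Cisco's code): it pads versions the way the "Format is" lines describe and reports whether a deferral would be offered for the two compliance module versions mentioned. The `DeferredUpdate` class, the outcome labels and the "update" response value are assumptions made for illustration, and the model covers only the deferral prompt, not what Client Provisioning installs.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str, width: int) -> tuple:
    """Pad a dotted version to `width` fields, per the help text
    ('3.6' with width 4 becomes 3.6.0.0)."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= width or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected up to {width} dotted numeric fields: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))


@dataclass
class DeferredUpdate:                 # hypothetical container for the quoted settings
    allowed: bool                     # "Allowed for Compliance Module"
    minimum: str                      # "Minimum Version Required for Compliance Module"
    timeout: Optional[int] = None     # "Prompt Auto Dismiss Timeout"; None means 'None'
    default_response: str = "update"  # 'defer' is from the page; "update" is assumed


def deferral_outcome(cfg: DeferredUpdate, installed: str) -> str:
    """Return one of three assumed labels describing the deferral prompt."""
    if not cfg.allowed:
        return "no-deferral"
    # Deferral is only offered when the installed module meets the minimum.
    if parse_version(installed, 4) < parse_version(cfg.minimum, 4):
        return "no-deferral"
    # Timeout 0 plus a 'defer' default response forces the deferral.
    if cfg.timeout == 0 and cfg.default_response == "defer":
        return "forced-defer"
    return "user-may-defer"


if __name__ == "__main__":
    # Versions taken from the post; the settings combinations are constructed.
    forced = DeferredUpdate(allowed=True, minimum="4.3.2099", timeout=0,
                            default_response="defer")
    for installed in ("4.3.2099", "4.3.4065.8192", "4.2"):
        print(installed, "->", deferral_outcome(forced, installed))
```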

3 Replies

Client Provisioning Policy rules.  Use an AD group that points to the newer compliance module.

I was wondering if it’s possible to upgrade without changing the policies.

What do you mean? Why not change the policies?